SSH Agent Forwarding in Ubuntu's Gnome

It's been over two years since the bug was opened and the SSH agent built into gnome-keyring still does not support constrained identities, particularly the confirmation constraint.

If you are forwarding your SSH agent connection through an intermediate (or bastion) host and the intermediate host is compromised (or has an untrustworthy admin), your forwarded agent connection could be hijacked and your key could be used to access other hosts without your knowledge.  Therefore, when forwarding an SSH agent, it's important that your agent asks for confirmation before the key is used.  That way you will be alerted if your agent is used by someone else to access your key.

Because the SSH agent component in gnome-keyring does not support confirmation dialogs, it should be disabled if you want to use SSH keys in this way.  In order to do that, you must use gconf:

$ gconftool-2 --set -t bool /apps/gnome-keyring/daemon-components/ssh false

If that were the only bug in GNOME, the ssh-agent from openssh would take over on your next login and everything would be fine.  However, if you have seahorse-plugins installed (you probably do), you'll run into this bug.  The Xsession script provided by seahorse-plugins abuses a variable that is supposed to be available to all Xsession scripts, and in doing so, prevents ssh-agent from running.  You could edit the file to fix it, but it's perhaps better to just add another file that undoes the damage.  As root:

# cat > /etc/X11/Xsession.d/60seahorse-plugins-fix <<EOF
# This file is sourced by Xsession(5), not executed.
OPTIONS=$(cat "$OPTIONFILE") || true

Once that is done, you can add "/usr/bin/ssh-add -c" to your gnome startup items.


James E. Blair

I love hacking Free Software and have been fortunate to do so professionally with some wonderful people and organizations throughout my career. This is my blog.